Mailman cannot relay e-mails to non-local domains

My e-mail server runs Debian with postfix, dovecot, amavis, mailman, with postfixadmin in a virtual domain setup. All works fine, except for mailman which is not able to relay e-mails to non-local domains ("relay access denied"), while I can relay e-mails to any recipient with postfix authenticated smtp.

Here follows my setup.

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
message_size_limit = 0
mydestination = $myhostname, localhost.my-domain.it, localhost
mydomain = my-domain.it
myhostname = postino.my-domain.it
mynetworks = 127.0.0.0/8, x.x.x.x/32
myorigin = /etc/mailname
owner_request_special = no
propagate_unmatched_extensions = canonical
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = _
relay_domains = lists.my-domain.it
relayhost = 
show_user_unknown_table_name = no
smtp_tls_note_starttls_offer = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 10
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,check_helo_access hash:/etc/postfix/access,reject_invalid_helo_hostname
smtpd_junk_command_limit = 3
smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_recipient,reject_non_fqdn_sender,reject_unauth_destination,reject_unauth_pipelining,reject_unknown_recipient_domain,reject_unknown_sender_domain,check_policy_service unix:private/policyd-spf,check_policy_service inet:127.0.0.1:10023,reject_rbl_client cbl.abuseat.org,reject_rbl_client dnsbl.njabl.org,permit_auth_destination,reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/access,reject_unknown_sender_domain,reject_non_fqdn_sender
smtpd_soft_error_limit = 2
smtpd_tls_always_issue_session_ids = no
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

master.cf

smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlistsd_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

smtp-amavis unix -      -       n     -       20  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       -     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o local_header_rewrite_clients=

policyd-spf  unix  -       n       n       -       0       spawn
    user=nobody argv=/usr/bin/python /usr/bin/policyd-spf /etc/postfix-policyd-spf-python/policyd-spf.conf

/etc/postfix/transport

lists.my-domain.it   mailman:

The error in the logs:

May 11 09:06:42 gabble postfix/smtpd[8390]: NOQUEUE: reject: RCPT from www.my-domain.it[127.0.0.1]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<gabble.my-domain.it>

Thanks in advance for any help you will offer.


Solution 1:

The relay_domains parameter determines which domains Postfix relays to -- that is, the domains that your email server will accept mail for in addition to its mailname -- so this line isn't going to help you here (I assume this is what you are trying to achieve with it, anyway).

You are restricting the MAIL FROM address to those listed in /etc/postfix/access -- make sure that includes lists.my-domain.it.

You have reject_unauth_destination fairly early in your smtpd_recipient_restrictions line, and according to postconf(5), that rejects unless either

  • the resolved RCPT TO domain matches $relay_domains or a subdomain thereof, or
  • Postfix is the final destination: the resolved RCPT TO domain matches $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains

If you want this box to be able to send out any mail that it generates, you need to add permit_mynetworks before reject_unauth_destination, so that mail coming from your networks is approved regardless of where it is going.